Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 15/02/2024, 13:39
Static task: static1

Behavioral task: behavioral1
  Sample: 1.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 1.exe
  Resource: win10v2004-20231222-en
General

Target: 1.exe
Size: 1.1MB
MD5: 69e37fcc0df26cb81fd06e5dfb260144
SHA1: 839808ef40530e153fdb1f0fdb390b56c1982b6d
SHA256: 44751e144b4dae403bf009e1a5461d0b7ec7b0f5e95ae6b149e0c653e4ab7b17
SHA512: 5361c923c58330ba71f72374341543a7863223592489526f3d561a7d6f010a3a63ce6559f85474458097ebc818b77073cfb5a648c4084a95d7eaa5c31f2e860c
SSDEEP: 24576:pRmJkcoQricOIQxiZY1ia7oOq0/WkgZ6Xw1EGBHS:mJZoQrbTFZY1ia7oOLW6A1E+HS
Malware Config

Extracted

Family: remcos
Botnet: jnchinacp
C2: jnchina.ydns.eu:1177

audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-1632I1
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
  resource | yara_rule
  behavioral1/memory/1632-65-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
  behavioral1/memory/1632-86-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
  behavioral1/memory/2204-90-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
  resource | yara_rule
  behavioral1/memory/580-64-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
  behavioral1/memory/580-99-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
  behavioral1/memory/2608-106-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

Nirsoft (9 IoCs)
  resource | yara_rule
  behavioral1/memory/580-64-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
  behavioral1/memory/1632-65-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
  behavioral1/memory/2840-68-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
  behavioral1/memory/2840-69-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
  behavioral1/memory/1632-86-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
  behavioral1/memory/2204-90-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
  behavioral1/memory/580-99-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
  behavioral1/memory/1600-98-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
  behavioral1/memory/2608-106-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft

Drops startup file (1 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\resharing.vbs | resharing.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  2744 | resharing.exe

Loads dropped DLL (1 IoCs)
  pid | Process
  1488 | 1.exe

Accesses Microsoft Outlook accounts (1 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | svchost.exe
  Key opened | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | svchost.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/files/0x0008000000018b11-12.dat | autoit_exe
  behavioral1/files/0x0008000000018b11-15.dat | autoit_exe
  behavioral1/files/0x0008000000018b11-16.dat | autoit_exe
Suspicious use of SetThreadContext (7 IoCs)
  description | pid | Process | procid_target
  PID 2744 set thread context of 2696 | 2744 | resharing.exe | 29
  PID 2696 set thread context of 580 | 2696 | svchost.exe | 32
  PID 2696 set thread context of 1632 | 2696 | svchost.exe | 33
  PID 2696 set thread context of 2840 | 2696 | svchost.exe | 34
  PID 2696 set thread context of 2608 | 2696 | svchost.exe | 35
  PID 2696 set thread context of 2204 | 2696 | svchost.exe | 36
  PID 2696 set thread context of 1600 | 2696 | svchost.exe | 37

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  580 | svchost.exe
  2608 | svchost.exe
  580 | svchost.exe
  2608 | svchost.exe

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid | Process
  2744 | resharing.exe
  2696 | svchost.exe
  2696 | svchost.exe
  2696 | svchost.exe
  2696 | svchost.exe
  2696 | svchost.exe
  2696 | svchost.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2840 | svchost.exe
  Token: SeDebugPrivilege | 1600 | svchost.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2696 | svchost.exe

Suspicious use of WriteProcessMemory (39 IoCs)
  description | pid | Process | procid_target
  PID 1488 wrote to memory of 2744 | 1488 | 1.exe | 28
  PID 1488 wrote to memory of 2744 | 1488 | 1.exe | 28
  PID 1488 wrote to memory of 2744 | 1488 | 1.exe | 28
  PID 1488 wrote to memory of 2744 | 1488 | 1.exe | 28
  PID 2744 wrote to memory of 2696 | 2744 | resharing.exe | 29
  PID 2744 wrote to memory of 2696 | 2744 | resharing.exe | 29
  PID 2744 wrote to memory of 2696 | 2744 | resharing.exe | 29
  PID 2744 wrote to memory of 2696 | 2744 | resharing.exe | 29
  PID 2744 wrote to memory of 2696 | 2744 | resharing.exe | 29
  PID 2696 wrote to memory of 580 | 2696 | svchost.exe | 32
  PID 2696 wrote to memory of 580 | 2696 | svchost.exe | 32
  PID 2696 wrote to memory of 580 | 2696 | svchost.exe | 32
  PID 2696 wrote to memory of 580 | 2696 | svchost.exe | 32
  PID 2696 wrote to memory of 580 | 2696 | svchost.exe | 32
  PID 2696 wrote to memory of 1632 | 2696 | svchost.exe | 33
  PID 2696 wrote to memory of 1632 | 2696 | svchost.exe | 33
  PID 2696 wrote to memory of 1632 | 2696 | svchost.exe | 33
  PID 2696 wrote to memory of 1632 | 2696 | svchost.exe | 33
  PID 2696 wrote to memory of 1632 | 2696 | svchost.exe | 33
  PID 2696 wrote to memory of 2840 | 2696 | svchost.exe | 34
  PID 2696 wrote to memory of 2840 | 2696 | svchost.exe | 34
  PID 2696 wrote to memory of 2840 | 2696 | svchost.exe | 34
  PID 2696 wrote to memory of 2840 | 2696 | svchost.exe | 34
  PID 2696 wrote to memory of 2840 | 2696 | svchost.exe | 34
  PID 2696 wrote to memory of 2608 | 2696 | svchost.exe | 35
  PID 2696 wrote to memory of 2608 | 2696 | svchost.exe | 35
  PID 2696 wrote to memory of 2608 | 2696 | svchost.exe | 35
  PID 2696 wrote to memory of 2608 | 2696 | svchost.exe | 35
  PID 2696 wrote to memory of 2608 | 2696 | svchost.exe | 35
  PID 2696 wrote to memory of 2204 | 2696 | svchost.exe | 36
  PID 2696 wrote to memory of 2204 | 2696 | svchost.exe | 36
  PID 2696 wrote to memory of 2204 | 2696 | svchost.exe | 36
  PID 2696 wrote to memory of 2204 | 2696 | svchost.exe | 36
  PID 2696 wrote to memory of 2204 | 2696 | svchost.exe | 36
  PID 2696 wrote to memory of 1600 | 2696 | svchost.exe | 37
  PID 2696 wrote to memory of 1600 | 2696 | svchost.exe | 37
  PID 2696 wrote to memory of 1600 | 2696 | svchost.exe | 37
  PID 2696 wrote to memory of 1600 | 2696 | svchost.exe | 37
  PID 2696 wrote to memory of 1600 | 2696 | svchost.exe | 37
Processes

C:\Users\Admin\AppData\Local\Temp\1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1488

  C:\Users\Admin\AppData\Local\outvaunts\resharing.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 2744

    C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2696

      C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\farhgeqgzjjpitnu"
        - Suspicious behavior: EnumeratesProcesses
        PID: 580

      C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\puwagwbznrcukhjyhmgd"
        - Accesses Microsoft Outlook accounts
        PID: 1632

      C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\swbkhpmbjzugvnxcyxbfcof"
        - Suspicious use of AdjustPrivilegeToken
        PID: 2840

      C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\mdxcdogmxwy"
        - Suspicious behavior: EnumeratesProcesses
        PID: 2608

      C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\xfduegrgleqfjuq"
        - Accesses Microsoft Outlook accounts
        PID: 2204

      C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\hzqnfybhzmijtbmyse"
        - Suspicious use of AdjustPrivilegeToken
        PID: 1600
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144B
MD5: 9d2b593ead05857964a464aca049646c
SHA1: 294445d9a907b5fdf1f76037388b9079bf4b9993
SHA256: e46fc1c745851b06f4bb993294f9b70bb9d116ca9f379169ebada199adc2b5a9
SHA512: 3c100ce34e250a5d3eee90f0bdfb97ba8454edd111feeb8f42889ddb63596da39cee9cfc49a011e158c027e50833b2a8517c314616c506efd8e02441a0e7ef4a

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize: 483KB
MD5: 9dbad0aa8d1f4a6e7c5d3300f4a79911
SHA1: 278790865ad59208d4b82100a255e5eabbffa041
SHA256: 901d7920b2aa2272f92d09cda4d4dc56f5c5dc1d81ec4b1b15ab09e750085779
SHA512: bbe9d8b5bb9d269bf0fc9f12e720ad51fecfdedb10d679d7e8115f49aca2d658b7cf50d51dc87cb03b47f53f61975bb742793b07d40582de1c3641760eca531a

Filesize: 96KB
MD5: e04d5020cdf6b54ca1aeafb897bb0de0
SHA1: 3483ddcfc66d801c03a8c18506b489da38c5833b
SHA256: fe6f63c2b6ae9d1bc7481a0ca3c2aac7187a9ef715043e1773f3d3ceed70a797
SHA512: 2298ba958ce9a721e6aafd0da706adeac7fe87d040778c278ed6931723318823036e5643b72ef0f3abebca9917c6f419eda4e2ab104370afdc19940dec9b14c2

Filesize: 1.2MB
MD5: 83652ef746cc7552e00aeb54c573ef9b
SHA1: 9a17fa120f6785a36ba47004922f0973bd3c2592
SHA256: 0d1b66cca7315150920634abc79e4577af51dbff1e952141e39fc237e2fe26ba
SHA512: cc5866d516e90c4998f1255a2ae60bbb4186cee0532c940fe56c4dda26ffacbc1d6af96b638685ad1c2e932f6c1e91cd9c71bd71259c43650869a76bdb2b9d93

Filesize: 1.2MB
MD5: 220f535f8e88665d3fa1051916801a60
SHA1: 3377c81da3a3ebc8e931eb583c28a6446de3df48
SHA256: 033966f1a8e7959997f4ae67fa0505b98a87ce0159e480b204d8cfe49d601aaa
SHA512: 850e86f405b7878d31723f13c8c43ab001ada3577bf3053246ef8b64bc9c48a2f6e6992aec1e9fc9b4e6f5da3388650bd3a198dbdebfed5d8dc2bdca51b3253d

Filesize: 768KB
MD5: 628401eacfe473cb396f59eb990b32e8
SHA1: c7cf7bb9ec6329f296a7cc666ce7cfb78f03e332
SHA256: b93c1b783ffb0198868aad668ba1d24acf977df1cb9185624ba998bfb8bc1228
SHA512: 71ab1b73eb3787779c1743e98b4bb34b25bed889f365c0faacba407de8187a16b161121fbf6a8d80ae195853222a7045d6cc28dafeb74a3f4a4e967a3353f97c